Cyber Threats #scareware#tech support scams#social engineering

Scareware and Tech Support Scams: How to Spot and Escape Them

Learn how fake antivirus alerts, browser lock screens, and Microsoft impersonators steal money and access — and how to shut them down fast.

7 min read

Every year, the FBI’s Internet Crime Complaint Center receives tens of thousands of tech support fraud reports. In 2023 alone, Americans lost over $924 million to tech support scams — a figure that keeps climbing. These scams don’t rely on sophisticated exploits. They rely on panic.

What Is Scareware?

Scareware is malicious or deceptive software designed to frighten users into believing their computer is infected, compromised, or failing. The “scare” does the heavy lifting. Once a user is alarmed enough, they make poor decisions: calling a fraudulent number, granting remote access, or purchasing fake software.

Scareware appears in several forms:

  • Fake antivirus pop-ups that mimic Windows Defender or McAfee alerts
  • Browser lock screens that freeze the tab and play looping audio warnings
  • Rogue security software that actually installs itself and demands payment to “remove” threats it invented
  • Malvertising — legitimate websites serving malicious ads that trigger scareware overlays

The technical sophistication is often minimal. Many scareware campaigns use JavaScript to fill the browser with a full-screen overlay, disable certain keyboard shortcuts, and repeatedly trigger the browser’s beforeunload dialog to trap users on the page.

The Microsoft Impersonation Playbook

One of the most common tech support scam variants impersonates Microsoft. The anatomy of an attack typically follows this pattern:

  1. Trigger: User visits a compromised or malicious site. A full-screen pop-up appears mimicking a Windows error screen, complete with the Microsoft logo, a fake error code (e.g., 0x80073b01), and a phone number.

  2. Phone call: The victim calls the number and reaches a scammer posing as “Microsoft Support” or “Windows Technical Department.” The scammer speaks confidently and uses technical-sounding language.

  3. Remote access request: The scammer asks the victim to install a legitimate remote access tool — commonly AnyDesk, TeamViewer, or UltraViewer — claiming they need to “diagnose” the problem.

  4. Fake diagnostics: Once connected, the scammer runs built-in Windows tools like eventvwr.msc (Event Viewer) or tree C:\ to display normal system output, then claims these are signs of critical infections or hacking activity. Event Viewer always shows some warnings — scammers exploit this.

  5. Payment: The scammer demands payment — often $200–$500 — via gift cards, wire transfer, or cryptocurrency. Some go further and attempt to access banking websites or install persistent malware before disconnecting.

Microsoft never proactively contacts users about computer problems. This is not a policy that changes. Any unsolicited contact claiming to be Microsoft support is fraudulent.

Browser Lock Screen Mechanics

Browser lock screens are particularly effective because they appear to “freeze” the computer. In reality, only the browser tab is affected. The technique typically works like this:

// Simplified scareware lock screen logic
window.onbeforeunload = function() { return "WARNING: Do not close!"; };
document.addEventListener('keydown', function(e) {
  if (e.key === 'F11' || e.altKey) e.preventDefault();
});
document.documentElement.requestFullscreen();

The page enters fullscreen mode, suppresses common escape shortcuts, and loops an audio warning. To an inexperienced user, this looks like the entire system is locked.

Escape techniques:

  • Press F11 to exit fullscreen (often still works)
  • Use Ctrl+W or Ctrl+F4 to close the tab
  • Open Task Manager (Ctrl+Shift+Esc) and end the browser process
  • On Mac, use Cmd+Option+Esc to force-quit the browser

Remote Access Tool Abuse

Legitimate remote access tools like AnyDesk and TeamViewer are dual-use. When scammers gain access through these tools, they can:

  • Browse files and steal documents, photos, or credentials
  • Open banking sites and request fraudulent transfers
  • Install backdoors or keyloggers for persistent access
  • Lock users out by changing account passwords

AnyDesk and TeamViewer have both implemented scam detection features, including warnings when connections come from known scam infrastructure. However, scammers frequently pivot to lesser-known tools to avoid these protections.

Red Flags at a Glance

Warning SignWhat It Means
Unsolicited phone call from “Microsoft”Always a scam
Pop-up with phone numberNever call it
Request to install remote access softwareHang up immediately
Payment requested via gift cardsDefinitive scam indicator
Urgency and fear languageClassic social engineering
”Error codes” on screenNormal Windows output being weaponized

How to Protect Yourself and Others

For individuals:

  • Keep browsers and extensions updated; many scareware sites exploit outdated JavaScript engines
  • Use an ad blocker (uBlock Origin) to prevent malvertising
  • Educate elderly family members — they are disproportionately targeted
  • Never purchase gift cards as payment for any technical service

For IT administrators:

  • Block known tech support scam domains via DNS filtering (Cisco Umbrella, Pi-hole)
  • Disable or control installation of unapproved remote access tools via application allowlisting
  • Train users to recognize scam tactics with simulated scenarios

If you’ve already been scammed:

  1. Disconnect from the internet immediately
  2. Run a legitimate antivirus scan (Malwarebytes, Windows Defender)
  3. Change all passwords from a separate, clean device
  4. Contact your bank if financial information was accessed
  5. Report to the FTC at reportfraud.ftc.gov and the FBI’s IC3 at ic3.gov

Scareware succeeds because it manufactures urgency. The antidote is knowing, in advance, that these alerts are fake — and having a practiced response ready before panic sets in.

#phishing #remote access #social engineering #tech support scams #scareware